Integration 13 March 2026 · 8 min read

Self-Hosted KYC for Your Crypto Exchange. One Plugin Install.

Every HollaEx exchange operator pays a recurring tax to cloud KYC providers. Your users' passport photos, selfies, and biometric data leave your infrastructure, land on someone else's servers, and you pay $1–3 per verification for the privilege. The FaceVault HollaEx plugin replaces that entire dependency with a single JSON file. Your KYC pipeline runs on your servers. Your users' data never leaves your infrastructure. And pricing is flat — no annual contracts, no opaque per-verification surcharges.

The Problem: Every Exchange Pays a KYC Tax

If you run a crypto exchange on HollaEx, you need KYC. Regulators require it. Users expect it. And the default path is either HollaEx's built-in KYC plugin — which requires your staff to manually review every passport, selfie, and proof of address uploaded to an S3 bucket — or a cloud provider like Sumsub where you pay $1–3 per verification and your users' biometric data leaves your infrastructure entirely.

Neither scales. Manual review becomes a staffing bottleneck at 50+ sign-ups per day. Cloud KYC becomes a cost centre that grows linearly with your user base. The problems compound:

Data leaves your infrastructure

Passport photos, government IDs, and facial biometrics are uploaded to a third-party server you don't control. If they get breached, your users' data is exposed — and your exchange takes the reputational hit.

Pricing is opaque and per-verification

$1–3 per verification sounds manageable until you're processing 10,000 per month. That's $10K–30K per month for API calls to someone else's ML models. Enterprise plans require annual commitments and sales calls.

You become a data processor

Under GDPR and similar regulations, sending biometric data to a third party adds legal complexity. You need a Data Processing Agreement, you need to audit their retention policies, and you need to trust that they actually delete data when they say they do.

Manual review doesn't scale

HollaEx's built-in KYC uploads documents to your S3 bucket and waits for staff to approve or reject. No face matching, no liveness, no fraud detection. At 100 sign-ups/day with 5-minute reviews, that's 8+ hours of staff time daily — and a compliance team you didn't budget for.

The FaceVault HollaEx plugin eliminates all four. AI handles 95% of verifications automatically. KYC processing happens on your servers. Photos and biometrics are encrypted at rest with keys you control. And pricing starts at $0.35/check — not $1–3.

How the Plugin Works

The plugin is a standard HollaEx JSON plugin. Three steps to install, no custom code required.

Installation

```shell
hollaex plugin --install --file facevault-kyc.json
```

After installing, configure the plugin with your FaceVault credentials:

Configuration

| Parameter | Required | Description |
|---|---|---|
| api_key | Yes | Your FaceVault API key (starts with fv_live_) |
| api_url | Yes | FaceVault API endpoint (https://facevault.id/api/v1) |
| webhook_secret | Yes | HMAC-SHA256 secret for verifying webhook signatures |
| verified_level | Yes | HollaEx user level to assign on successful verification (e.g., 2) |
| require_poa | No | Require proof of address (utility bill, bank statement). Default: false |

Set your webhook URL in the FaceVault dashboard so the plugin receives verification results:

```text
https://your-exchange.com/plugins/facevault/webhook
```

The Flow

Once installed, this is what happens when a user clicks "Verify" on your exchange:

User clicks "Verify" on exchange
        |
Plugin creates FaceVault session
        |
User redirected to FaceVault KYC webapp
        |
ID scan -> Tilt challenge -> Liveness -> Selfie -> (optional PoA)
        |
FaceVault webhook fires (HMAC-signed)
        |
Plugin updates user verification level

The plugin handles session creation, redirect, and webhook processing automatically. When FaceVault's trust engine returns an "accept" decision, the plugin upgrades the user to your configured verified_level. If the decision is "review," the user stays at their current level until an admin resolves it. If it's "reject," the user can retry up to three times before being locked out.

Webhook security: Every webhook payload is signed with HMAC-SHA256. The plugin verifies the signature before processing — a forged request from an attacker will be rejected before it touches your user database. The signing secret is set once during configuration and never transmitted in plaintext.

What Your Users See

The verification flow is designed to be fast and familiar. Users complete the entire process in under 90 seconds on a modern smartphone. Here is each step:

1. ID Document Scan

The camera opens and guides the user to position their ID card or passport. Edge detection automatically identifies the document boundaries — four corners must be visible for five consecutive frames before capture triggers. No manual shutter button. The system detects and rejects blurry images (Laplacian variance below 35.0) before uploading, so users get immediate feedback instead of waiting for server-side rejection.

2. Tilt Challenge

After the flat scan, the user is prompted to tilt their ID toward the camera. This is the primary defense against screen-of-a-screen attacks. A photo displayed on a monitor or phone screen cannot reproduce the perspective warp of a physical card being tilted. The system compares the tilted and flat captures using warp-and-compare analysis and sub-pixel fringing detection.

3. Liveness Detection

The front camera activates and asks the user to turn their head. This is not a simple "blink test." FaceVault runs an 11-signal anti-spoofing fusion scorer that analyzes texture gradients, JPEG compression artifacts, color distribution, noise patterns, and more. The system catches printed photos, screen replays, and basic deepfakes. A score below 0.50 caps the verification to manual review.

4. Selfie and Face Match

A selfie is captured and compared against the face on the ID document using ArcFace embeddings (cosine distance threshold: 0.45). The system also checks for same-photo replay attacks — if the selfie and ID face are suspiciously identical (distance below 0.05), the session is force-rejected. This catches the trivial attack of holding the same photo up to both the ID scan and selfie prompts.

5. Proof of Address (Optional)

If require_poa is enabled, the user is prompted to scan a utility bill, bank statement, or similar document. OCR extracts the name, address, document date, and issuer. The extracted name is cross-checked against the ID document — a match adds a trust bonus, a mismatch applies a penalty. Users can also upload a PDF or image from their gallery instead of using the camera.

Tor-friendly: The KYC webapp works over Tor hidden services. Users on Tor automatically get a static file picker instead of camera access (Tor Browser blocks getUserMedia). This matters if your exchange serves privacy-conscious users who access your platform through Tor.

Trust Scoring and User Levels

FaceVault does not return a simple pass/fail. The trust engine computes a score from 0 to 100 based on three weighted signals: face match (40%), anti-spoofing (35%), and document fraud detection (25%). Additional modifiers apply for document cross-checks, GPS metadata, gyroscope motion, and other device signals.

The score maps to three decisions, which the plugin translates into HollaEx user level changes:

| Trust Score | Decision | Plugin Action |
|---|---|---|
| 70 – 100 | Accept | User upgraded to verified_level automatically |
| 40 – 69 | Review | User stays at current level; flagged for admin review |
| 0 – 39 | Reject | User can retry (up to 3 attempts); remains unverified |

Hard vetoes override the score entirely. If the face match fails (distance above 0.45), the session is force-rejected regardless of how well the other signals scored. If anti-spoofing is below 0.50 or document fraud detection is below 0.68, the session is capped at "review" — it can never auto-accept, even if the composite score would otherwise be above 70.

For exchange operators: The trust score and all sub-signals (face distance, anti-spoofing breakdown, document fraud score) are visible in the FaceVault dashboard. When a session lands in "review," your compliance team can see exactly which signal triggered it and make an informed decision — not a blind approve/deny.
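To make the veto rules concrete, here is an added model of the decision logic described in this section (it is not FaceVault's trust engine, whose internals are not published here). It assumes the face-match sub-score is 1 minus the cosine distance, that modifiers arrive as a single signed number of points, and that the plugin tracks prior rejections as attempts.

```javascript
// Added example, not FaceVault's trust engine: a model of the decision rules
// described above, showing how hard vetoes override the weighted score.
// Assumptions: the face-match sub-score is 1 - cosine distance, `modifiers`
// is one signed number of points, and `attempts` (prior rejections) is
// tracked by the plugin; none of those internals are published on this page.
const WEIGHTS = { face: 0.40, spoof: 0.35, doc: 0.25 };
const FACE_DISTANCE_MAX = 0.45;    // above this the face match fails: force-reject
const FACE_DISTANCE_REPLAY = 0.05; // below this the selfie is the ID photo: force-reject
const SPOOF_MIN = 0.50;            // below this: capped at review
const DOC_FRAUD_MIN = 0.68;        // below this: capped at review
const ACCEPT_MIN = 70;
const REVIEW_MIN = 40;
const MAX_REJECTS = 3;

const clamp = (x, lo, hi) => Math.min(hi, Math.max(lo, x));

function compositeScore({ faceDistance, spoofScore, docScore, modifiers = 0 }) {
  const face = clamp(1 - faceDistance, 0, 1); // assumed mapping from distance
  const raw = 100 * (WEIGHTS.face * face + WEIGHTS.spoof * spoofScore + WEIGHTS.doc * docScore);
  return Math.round(clamp(raw + modifiers, 0, 100));
}

// Returns the decision plus the reasons a compliance reviewer would want to see.
function decide(signals) {
  const score = compositeScore(signals);
  // Hard vetoes: the composite score is irrelevant here.
  if (signals.faceDistance > FACE_DISTANCE_MAX) {
    return { score, decision: 'reject', reasons: ['face match failed'] };
  }
  if (signals.faceDistance < FACE_DISTANCE_REPLAY) {
    return { score, decision: 'reject', reasons: ['same-photo replay'] };
  }
  let decision = score >= ACCEPT_MIN ? 'accept' : score >= REVIEW_MIN ? 'review' : 'reject';
  const reasons = [];
  if (signals.spoofScore < SPOOF_MIN) reasons.push('anti-spoofing below 0.50');
  if (signals.docScore < DOC_FRAUD_MIN) reasons.push('document fraud score below 0.68');
  if (reasons.length > 0 && decision === 'accept') decision = 'review'; // cap: never auto-accept
  return { score, decision, reasons };
}

// Maps a decision onto the plugin actions in the table above.
function planAction(decision, attempts, currentLevel, verifiedLevel) {
  if (decision === 'accept') return { level: verifiedLevel, flagForReview: false, locked: false };
  if (decision === 'review') return { level: currentLevel, flagForReview: true, locked: false };
  const rejects = attempts + 1;
  return { level: currentLevel, flagForReview: false, locked: rejects >= MAX_REJECTS, attempts: rejects };
}
```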

Why Not Just Use Sumsub?

Sumsub works. It is a mature product with broad document coverage and a well-documented API. If you are a large exchange with a dedicated compliance team and a six-figure KYC budget, it is a reasonable choice. But for most HollaEx operators — smaller exchanges, white-label deployments, privacy-focused platforms — the tradeoffs are significant.

| | FaceVault | Cloud KYC (Sumsub, etc.) |
|---|---|---|
| Data residency | Your servers | Their cloud |
| Per-verification cost | $0.35 – $0.99 | $1 – $3+ |
| Annual contract | No — month-to-month | Typically required |
| Encryption | AES-256-GCM + BYOK | Provider-managed |
| Tor support | Yes (hidden service) | No |
| Third-party data processor | No | Yes |
| Crypto-shred | Yes (BYOK key deletion) | Depends on provider |

The BYOK (Bring Your Own Key) feature deserves special mention. On pro-tier and above, you can supply your own AES-256-GCM encryption key, wrapped via HashiCorp Vault Transit. All photos and PII for your API key are encrypted with your key. If you ever need to guarantee data destruction — for compliance, for a user's right-to-be-forgotten request, or because you're shutting down — you delete the key. The data becomes cryptographically irrecoverable. No trust required; it's math.

To be clear: FaceVault is not a drop-in replacement for every feature Sumsub offers. Sumsub has wider document template coverage, transaction monitoring, and a larger compliance team behind it. But if your priority is data sovereignty, predictable pricing, and keeping biometric data off third-party servers, FaceVault is purpose-built for that.

Get Started

The full installation takes under 10 minutes:

1. Create a FaceVault account

   Sign up at devdash.facevault.id. The free tier includes 50 verifications per month — enough to test the integration end-to-end before committing to a paid plan.

2. Generate an API key and webhook secret

   In the dashboard, create an API key and note the webhook secret. Set the webhook URL to your exchange's plugin endpoint: https://your-exchange.com/plugins/facevault/webhook

3. Install the plugin

   Download facevault-kyc.json from the integrations page and install it with hollaex plugin --install --file facevault-kyc.json. Enter your API key, webhook secret, and desired verification level when prompted.

That is it. Your exchange now has self-hosted KYC. Users who click "Verify" will be guided through the FaceVault verification flow, and successful verifications will automatically upgrade their account level. No code changes to your exchange, no additional infrastructure, no ongoing vendor management.
